Allow vendor_init to write to misc_block_device
Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.
Bug: 77881566
Test: build
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
diff --git a/public/domain.te b/public/domain.te
index 4f02623..31345be 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -600,6 +600,7 @@
-init
-uncrypt
-update_engine
+ -vendor_init
-vold
-recovery
-ueventd
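Review bot: The new `-vendor_init` entry is added without any comment, and the neverallow it relaxes starts above this hunk, so the rule's target is not visible here; presumably it is the restriction on writing `misc_block_device`. The neighbouring entries (uncrypt, update_engine, vold, recovery) are single-purpose platform domains. vendor_init instead executes whatever vendor init scripts ask for, so this exemption is effectively open to any vendor `.rc` file. I would record that next to the entry, e.g. `# vendor_init: vendor init scripts may write vendor bootloader messages (b/77881566)`, so later audits of this list can see why it is there.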
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0273925..362244e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -146,6 +146,9 @@
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
not_compatible_property(`
set_prop(vendor_init, {
property_type
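Review bot: `allow vendor_init misc_block_device:blk_file w_file_perms;` grants write access to the whole partition, because SELinux cannot limit a block-device write to an offset range. The rule therefore also permits overwriting the bootloader message area at the start of misc, which recovery and the other exempted writers share. The comment `# Raw writes to misc block device` restates the rule rather than that constraint. I would write something like `# Vendor-specific bootloader messages only; writers must stay out of the AOSP bootloader_message region of misc.` Since this lives in public policy it applies to every device, so it is worth confirming that a device-specific sepolicy rule would not suffice. `Test: build` does not check that a vendor write leaves a pending recovery command intact.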